While hackback is almost a taboo in our industry, we had two Fortune 500 customers ask about hackback within a few days of each other. It was surprising to say the least. Today, as a result of these and other inquiries, we’re launching a new product for legal hackback, Cymmetria MazeHunter. We are also releasing a legal hackback framework with a decision-making policy model which can be used to determine what can be done, under what considerations, and how far we can go.

With Cymmetria MazeHunter, we’re challenging the concept of hackback itself. We believe that there is no divide between hackback and incident response activities, rather that these activities exist on a wide spectrum of incident response, and somewhere along that spectrum they shift from “defender-side activity” to “attacker-side activity.”

As an industry, we need to take control. We know that attackers who are determined to get in will succeed. With cyber deception, we’re turning the tables on attackers, shifting the inherent asymmetry we face. The burden of anomaly detection becomes the attackers’ problem, and this exponentially increases their costs. With legal hackback, we can now also engage with attackers and contain them.

Taking control and engaging with attackers inside our own networks is not only legal, it’s an ethical imperative. In fact, we should consider removing ourselves from the muddied hackback discussion, and opening up this new and important discussion for the industry to explore. We can call it Active Engagement.

What Cymmetria MazeHunter does

MazeHunter gives Cymmetria customers the ability to operate within the legal and ethical boundaries necessary to investigate and take action when interfacing with live adversaries, compromised hosts, and tools within the confines of their network environment.

You can pivot across attacker-controlled infrastructure in your own environment, not going outside your own zone of sovereignty and control. Effectively, we’re instrumenting the attackers’ bastion hosts, allowing defenders to affect the “5 D’s”: Deceive, Disrupt, Deny, Degrade, and Destroy. This provides live forensics, allows for discovery of other affected machines, and facilitates recovery of the attackers’ toolset, allowing the defender to see data being stolen and – most importantly – to contain and mitigate the attack.

MazeHunter is the evolution of a feature we’ve had in MazeRunner, Cymmetria’s cyber deception platform, for some time—collecting forensics from attacker-side computers on your network. Once MazeRunner detects an attacker, it immediately connects back to the attacker-controlled machine in your environment, obtaining their attack toolset (it runs netstat to see which process opened up the connection to the decoy, thus identifying the attackers’ toolset). With MazeHunter, instead of just pulling forensics, you can now run any payload of your choice, thus engaging with a confirmed, live attacker.
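The netstat step described above is the pivot from "a decoy was touched" to "this process on this host touched it". The following is an added illustration of that attribution step, not Cymmetria's code: it takes netstat output already collected from the compromised machine (both the Linux `netstat -tnp` layout and the Windows `netstat -ano` layout), finds every socket whose foreign end is the decoy, and returns the owning PID and, where reported, the program name. The decoy address and the netstat output are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Decoy address the attacker connected to (constructed values for this example).
DECOY_IP = "10.0.5.20"
DECOY_PORT = 445

# Last column is "PID/Program" on Linux (netstat -tnp) or a bare PID on Windows (netstat -ano).
_PID_PROG = re.compile(r"^(\d+)(?:/(.+))?$")

# Constructed sample: netstat -tnp captured on a Linux host in the environment.
LINUX_SAMPLE = """
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.5.7:22             10.0.5.1:51002          ESTABLISHED 912/sshd
tcp        0      0 10.0.5.7:49812          10.0.5.20:445           ESTABLISHED 4312/python3
tcp        0      0 10.0.5.7:49813          10.0.5.20:445           TIME_WAIT   -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           887/dhclient
"""

# Constructed sample: netstat -ano captured on a Windows host (no program names).
WINDOWS_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.5.7:49812         10.0.5.20:445          ESTABLISHED     4312
  TCP    10.0.5.7:135           0.0.0.0:0              LISTENING       908
  UDP    0.0.0.0:123            *:*                                    1104
"""


@dataclass(frozen=True)
class DecoyConnection:
    proto: str
    local: str     # local address:port on the compromised host
    state: str     # TCP state, "" if netstat printed none
    pid: int       # -1 when netstat could not attribute the socket
    program: str   # "" when only a PID was reported (Windows)


def _split_addr(addr: str):
    """Split 'host:port' (IPv4, or bracketed/unbracketed IPv6) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else -1


def find_decoy_connections(netstat_output: str, decoy_ip: str, decoy_port: int) -> List[DecoyConnection]:
    """Return every socket in the netstat output whose foreign end is the decoy."""
    hits: List[DecoyConnection] = []
    for line in netstat_output.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].lower().startswith(("tcp", "udp")):
            continue  # headers, blank lines, unix sockets
        # Linux layout:   proto recv-q send-q local foreign [state] pid/prog
        # Windows layout: proto local foreign [state] pid
        if len(tokens) >= 5 and tokens[1].isdigit() and tokens[2].isdigit():
            local, foreign, rest = tokens[3], tokens[4], tokens[5:]
        else:
            local, foreign, rest = tokens[1], tokens[2], tokens[3:]
        host, port = _split_addr(foreign)
        if host != decoy_ip or port != decoy_port:
            continue
        state, pid, program = "", -1, ""
        for tok in rest:
            m = _PID_PROG.match(tok)
            if m:
                pid, program = int(m.group(1)), m.group(2) or ""
            elif tok.isupper():  # ESTABLISHED, TIME_WAIT, ...
                state = tok
        hits.append(DecoyConnection(tokens[0].lower(), local, state, pid, program))
    return hits


def owning_pids(hits: List[DecoyConnection]) -> Set[int]:
    """PIDs worth handing to forensics (memory capture, binary recovery); unattributed sockets dropped."""
    return {h.pid for h in hits if h.pid >= 0}


if __name__ == "__main__":
    for sample in (LINUX_SAMPLE, WINDOWS_SAMPLE):
        hits = find_decoy_connections(sample, DECOY_IP, DECOY_PORT)
        for h in hits:
            print(f"{h.proto} {h.local} -> decoy [{h.state or 'no state'}] pid={h.pid} program={h.program or '?'}")
        print("PIDs to investigate:", owning_pids(hits))
```

The TIME_WAIT row shows the failure mode to expect: a socket the attacker tool has already closed is no longer attributable to a process, so the collection has to happen while the connection is live, which is exactly why the connect-back is triggered on detection rather than later.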

Types of legal hackback payloads

There are several categories of payload one can use when lawfully hacking back in this fashion. Examples include:

Live engagement: Acting directly against an attacker, for example by deleting data that has been stolen or altering it (such as turning it into a HoneyDoc).

Containment: Containing the attacker-used machine, bricking it, or perhaps shutting it down.

Most of these payloads are deployable without much difficulty, regardless of the attack stage. But as always, the more aggressive you get, the better it is to get your risk management and legal teams involved early.

For a legal analysis, please read this blog by Jonathan Braverman, detailing how we built our legal hackback framework and policy model which explores what is legal, when, and under what considerations.

Special thanks go to Nadav Lev and Imri Goldberg for making this project happen.

We welcome your feedback, questions, and comments. Please feel free to reach out to us.